cubitrace
Security

Defaults that hold up under audit.

WAF, brute-force defense, automatic security headers, SSH-CA host certificates, encrypted off-site backups, full audit log. The threat model is in the docs — read it before you ask.

What's on by default

You don't have to enable anything to get a hardened site.

Edge WAF
OWASP-aligned ruleset at the edge. Bot scoring. Geo-blocking for sites that need it.
Brute-force defense
/wp-login, /admin, /xmlrpc — rate-limited and challenged by default. Per-IP and per-account.
Security headers
HSTS (preload-eligible), X-Frame-Options, CSP baseline, Referrer-Policy, Permissions-Policy. All pre-set.
SSH-CA host certificates
Short-lived SSH certs from a central CA. No long-lived keys floating around. Revocable in seconds.
Full audit log
Every login, every key, every deploy, every cert. Streamed to your SIEM on Enterprise.
DPA on request
GDPR-clean residency. Standard Contractual Clauses where needed. Sub-processor list public.
Compliance

What we have, and what's in flight.

GDPR
DPA on request
SOC 2 Type I · Q3 2026
SOC 2 Type II · Q1 2027
ISO 27001 · Q4 2026
PCI-DSS SAQ-A · Q3 2026

For the up-to-date compliance summary and to download our threat model, visit cubitrace.com/trust. Security disclosures go to [email protected] — we ack within 24 hours, fix within our published SLAs.

Disclose responsibly

Found something? We pay bounties.

[email protected] · PGP key on /security · in-scope assets and rewards published.